Research on Host Intrusion Fetection Method Based on System Call Behavior Similarity Clustering

Journal of Information Security Reserach ›› 2021, Vol. 7 ›› Issue (9): 828-835.

Previous Articles Next Articles

Research on Host Intrusion Fetection Method Based on System Call Behavior Similarity Clustering

Online:2021-09-13 Published:2021-09-13

基于系统调用行为相似性聚类的主机入侵检测方法研究

李橙罗森林

（北京理工大学信息系统及安全对抗实验中心北京 100081）

通讯作者: 李橙
作者简介:李橙硕士研究生.主要研究方向为信息安全. lc_bitsec@foxmail.com 罗森林教授,博士生导师.主要研究方向为信息安全、数据挖掘、文本安全. luosenlin@bit.edu.cn

Abstract

Abstract: In the host intrusion detection method based on kernel module abstraction some system calls of the same kernel module have different behaviors，and different kernel modules also contain system calls with similar behaviors, which causes confusion of abstract mapping of behavior and affects the detection performance．This paper proposes a host intrusion detection method based on system call behavior similarity clustering．Firstly，Word2Vec is utilized to construct continuous dense word vector to extract multi-dimensional semantic similarity information of system call behavior，and then the clustering algorithm is utilized to make abstract represent of system call which reduce the confusion of behavior abstract mapping．The results of the experiment based on ADFA-LD and ADFA-WD datasets show that the method can effectively reduce the confusion of abstract mapping of behavior and improve the detection performance．At the same time，the efficiency of detection can be greatly improved by selecting different number of clusters，which has great practical value．

Key words: behavior similarity, Word2Vec, clustering, system call, host-based intrusion detection

摘要： 基于内核模块抽象的主机入侵检测方法中，同一内核模块的部分系统调用存在较大行为差异，且不同内核模块也含有行为相似的系统调用，造成行为抽象映射的混淆，影响检测效果．提出了一种基于系统调用行为相似性聚类的主机入侵检测方法，首先利用Word2Vec构建连续稠密词向量实现多维度系统调用行为语义相似性信息提取，再使用聚类算法对系统调用进行抽象表征减小行为抽象映射的混淆．基于ADFA-LD和ADFA-WD数据集的实验结果表明，方法能够有效降低行为抽象表征的混淆，提升检测效果．同时，可通过选取聚类簇数较大幅度提高检测时间效率，实用价值大．

关键词: 行为相似性, Word2Vec, 聚类, 系统调用, 主机入侵检测

李橙罗森林 . 基于系统调用行为相似性聚类的主机入侵检测方法研究[J]. 信息安全研究, 2021, 7(9): 828-835.

References

[1] Symantec．2019 Internet security threat report[EB/OL]．[2021-04-23]．https://docs.broadcom.com/doc/internet-security-threat-report-volume-24-en
[2] 朱雪冰，周安民，左政．基于家族行为频繁子图挖掘的恶意代码检测[J]．信息安全研究, 2019, 5(2)：105-113
[3] Forrest S, Hofmeyr S A, Somayaji A, et al．A sense of self for unix processes [C] //Proc of 1996 IEEE Symp on Security and Privacy．Piscataway, NJ：IEEE, 1996：120-128
[4] 冯亚玲．基于系统调用的恶意软件检测技术研究[J]．信息安全研究, 2016, 2(4)367-371
[5] Creech G, Hu J．A semantic approach to host-based intrusion detection systems using contiguousand discontiguous system call patterns [J]．IEEE Trans on Computers, 2013, 63(4)：807-819
[6] Liu M, Xue Z, Xu X, et al．Host-based intrusion detection system with system calls：Review and future trends [J]．ACM Computing Surveys, 2018, 51(5)：1-36
[7] Jose S, Malathi D, Reddy B, et al．A survey on anomaly based host intrusion detection system [C] //Journal of Physics Conf Series. Bristol：IOP Publishing, 2018
[8] Murtaza S S, Khreich W, Hamou-Lhadj A, et al．A trace abstraction approach for host-based anomaly detection [C] //Proc of 2015 IEEE Symp on Computational Intelligence for Security and Defense Applications．Piscataway, NJ：IEEE, 2015：1-8
[9] Creech G, Hu J．Generation of a new IDS test dataset：Time to retire the KDD collection [C] //Proc of 2013 IEEE Wireless Communications and Networking Conf．Piscataway, NJ：IEEE, 2013：4487-4492
[10] Ehsan A, Gursel S．Ensemble classifier for misuse detection using N-gram feature vectors through operating system call traces [J]． International Journal of Hybrid Intelligent Systems, 2017, 14(3)：141-154
[11] Zhao Y, Bo B, Feng Y, et al．A feature extraction method of hybrid gram for malicious behavior based on machine learning [J]．Security and Communication Networks, 2019, 2019(2):1-8
[12] Murtaza S S, Khreich W, Hamou-Lhadj A, et al A host-based anomaly detection approach by representing system calls as states of kernel modules [C] //Proc of the 24th IEEE Int Symp on Software Reliability Engineering．Piscataway, NJ：IEEE, 2013：431-440
[13] Mishra P，Varadharajan V, Pilli E S, et al．Vmguard：A vmi-based security architecture for intrusion detection in cloud environment [J]．IEEE Trans on Cloud Computing, 2018, 8(3)：957-971
[14] Haider W, Creech G, Xie Yi, et al．Windows based data sets for evaluation of robustness of host based intrusion detection systems (IDS) to zero-day and stealth attacks [J]．Future Internet, 2016, 8(3)：29

Research on Host Intrusion Fetection Method Based on System Call Behavior Similarity Clustering

基于系统调用行为相似性聚类的主机入侵检测方法研究

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 6

Recommended Articles

Metrics

[1]	. Flow Anomaly Detection Based on Hierarchical Clustering Method [J]. Journal of Information Security Research, 2020, 6(6): 0-0.
[2]	. Research on News Topic Detection and Tracking Technology Based on Improved Single-Pass [J]. Journal of Information Security Research, 2020, 6(5): 396-403.
[3]	. Virtual Machine Introspection Technology Based on System-Call Interception [J]. Journal of Information Security Research, 2020, 6(4): 367-372.
[4]	. Improvement of AntColony Text Clustering Algorithm Based on “Intelligent Information Center” [J]. Journal of Information Security Research, 2017, 3(2): 160-165.
[5]	. A Privacy Preserving Scheme for Continuous Data Publishing Based on Clustering and Segmentation Technology [J]. Journal of Information Security Research, 2017, 3(10): 0-0.
[6]	. Research on Malware Detection Technology Based on System Call [J]. Journal of Information Security Research, 2016, 2(4): 367-371.